According to the FBI and the Department of Homeland Security, ransomware attacks are going to dramatically increase for hospitals, clinics, and other healthcare providers in the coming months. This insight led to a conference call with industry leaders and government officials to go over the details. The story comes from our friend Brian Krebs at KrebsOnSecurity. His article goes on to state: “The Department of Health and Human Services (HHS), warned those on the call about ‘credible information of an increased and imminent cyber crime threat to US hospitals and healthcare providers.’”
None of the involved departments gave out Indicators of Compromise (IoCs) during the call, but they told everyone to patch and report any suspicious behavior. Alex Holden, from Hold Security, “said he saw online communications … between cyber criminals affiliated with a Russian-speaking ransomware group known as Ryuk in which group members discussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S.” Compiling IoCs for Ryuk is difficult, however, because each Ryuk attack is unique to its victim. Even so, Mandiant has released a list of domains and Internet addresses used by Ryuk in previous attacks throughout 2020 and up to the present day.
The Cybersecurity and Infrastructure Security Agency (CISA) did release an official advisory detailing potential attacks and TTPs for TrickBot, BazarLoader, Conti, and Ryuk. There are also many great resources listed on the last few pages of the report that many of our engineers will want to check out.